This patent document describes methods to evade and avoid interference or false positives when sending electronic messages with instrumented content to recipients within organizations that use automated messaging security technologies.
Electronic messages with instrumented content (which are sometimes referred to as instrumented messages) include content that enables the sender to passively or actively determine whether and when the specific intended recipient received the message. An instrumented message may also enable the sender to determine what (if any) action the recipient of the message took, such as viewing the message, accessing a URL (Uniform Resource Locator) associated with the message, or opening a file attachment associated with the message. One-time use content may include a unique, complex, time-limited URL that is intended to be accessed by the recipient in order to gain access to a system, to signal the sender that the intended recipient of the message took action on the message, or to set a new password within an application.
Legitimate organizations use instrumented messages to determine what happened to the message as it was transmitted and received by the recipient's network devices, servers, user computing devices, or human end user. Instrumented messages contain metadata or other content, which is optionally unique and/or recipient-attributable, that the sender can use to detect when a recipient interacts with the message. Examples of recipient interactions include processing the email by a network device of the recipient; reading the message in a messaging client; accessing the message's header, metadata, and/or body; accessing a link in the message; processing message content; or opening a file attachment associated with the message. When a recipient takes action on the instrumented content of an instrumented message, accessing that content triggers a notification. The notification is received by a network server or other computing device associated with the sender. This notification allows the sender to determine the nature of the action that the recipient took on the instrumented message.
Cyber-attacks can occur when an individual or organization targets another individual or organization with malicious messages that are disguised as legitimate. These malicious messages may contain or be associated with malicious content, such as URL links to malicious web sites or malicious file attachments. When the victim user clicks on a malicious link contained within such a message, their web browser (or other associated software based on the nature of the embedded link) will connect to the malicious website, which will cause the victim's computing device or connected computing devices to download and become infected with malicious software. If the attack uses a malicious attachment and the victim opens it, the attachment will cause the victim's computing device or other networked devices to become infected with malicious software. The malicious software can expose the victim and/or their organization to security risks by exposing, destroying or altering sensitive data that is stored on the network, or by causing the device or system to serve as a processor for remote activities associated with the cyber-attack.
Many organizations today utilize automated message security systems that inspect all incoming messages for signs of malicious content, links, or attachments. These systems are commonly called sandboxes. Sandboxes are virtual machines or actual computing devices that are programmed to mimic the activity of an intended recipient of a message, but do so in an environment that is separate from the recipient's actual computing environment, such as an immutable virtualized desktop environment, to avoid harming the recipient's computer or network if the message is malicious. When a message is delivered to a sandbox, content such as URLs and file attachments is extracted from the message. This content is sent to a web browser or other application within the sandbox, where it is accessed just as if the sandbox were a real user. If the content causes the sandbox to become compromised or behave in a suspicious way, the security system detects this behavior and blocks the message from being delivered to the user's real environment. The sandbox is then terminated, and subsequent messages are processed in the same way. Given the security protections afforded by automated message security systems, the recipient organization cannot disable or make exceptions to this process for specific message senders. All messages must be processed to ensure that they are not malicious.
The challenge facing legitimate organizations that send legitimate instrumented messages is that sandboxes mimic user behavior by accessing the instruments within the message and causing it to appear as if a human end user accessed, viewed, or opened the message, URL, or file attachment. Current instrumented messages do not allow legitimate organizations to easily determine if the interaction was performed by an automated message security system or the intended recipient. Further, systems that may want to ensure the accuracy of data returned from instrumented messages may not be able to avoid interference by automated message security systems.
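The one-time, time-limited URL described above and the interference problem it runs into can be shown in a short sketch. This is an added example, not code from the patent document; the signing key, the host `sender.example`, the token layout and all function names are assumptions made for illustration, and the timeline is constructed.

```python
import base64, hashlib, hmac, secrets

SECRET = b"constructed-demo-key"  # assumption: sender's server-side signing key
_redeemed = set()                 # tokens already used (in-memory for the demo)

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_url(recipient: str, ttl: int, now: int) -> str:
    """Build a unique, recipient-attributable, time-limited URL."""
    payload = f"{recipient}|{now + ttl}|{secrets.token_hex(8)}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"https://sender.example/r/{_enc(payload)}.{_enc(sig)}"

def redeem(url: str, now: int) -> str:
    """Return 'ok:<recipient>' or the reason the access is rejected."""
    token = url.rsplit("/", 1)[-1]
    try:
        p64, s64 = token.split(".")
        payload, sig = _dec(p64), _dec(s64)
        recipient, expires, _nonce = payload.decode().rsplit("|", 2)
        expires = int(expires)
    except ValueError:  # bad base64, bad UTF-8, or wrong field count
        return "malformed"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad-signature"
    if now > expires:
        return "expired"
    if token in _redeemed:
        return "already-used"
    _redeemed.add(token)
    return f"ok:{recipient}"

def simulate_delivery() -> list:
    """Constructed timeline: automated scanner at t+5 s, human at t+600 s."""
    url = issue_url("alice@example.com", ttl=3600, now=1000)
    scanner = redeem(url, now=1005)  # sandbox follows the link first
    human = redeem(url, now=1600)    # intended recipient clicks later
    return [scanner, human]

if __name__ == "__main__":
    print(simulate_delivery())
```

The sender's log attributes the first access to the recipient even though the scanner made it, and the recipient's own later access is refused because the one-time URL has already been consumed.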
This document describes devices and methods that are intended to address at least some issues discussed above and/or other issues.